https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64156#M38525 <P>We have 2 user-agents deployed that read the AD logs and the PA7050's connect to the user-agents. The agents are running 6.0.7-10 and the PA7050's running 6.1.4.</P><P>We are having a problem where mulitple machines across various networks are using a "generic" login account. We have policies in place on the PA7050's that are enforced on these macihines through user-id. This works fine until an admin logs into one of these machines or runs an application as an admin on the machine. This over-writes the user-id mapping by design. The issue however comes when the admin logs out and then logs back in as the generic account, the user-id mappings are not being updated fast enough or at all it seems, which then leaves that machine to bypass the enforcment policies.</P><P>Has anyone else run into this issue?</P><P>Thanks</P><P>**I have thought of using the ignore-list for the admin login's, however this would be a few 100 names and could change monthly which is not really scable to daily operations.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Sep 2015 20:39:20 GMT Gun-Slinger 2015-09-03T20:39:20Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64156#M38525 <P>We have 2 user-agents deployed that read the AD logs and the PA7050's connect to the user-agents. The agents are running 6.0.7-10 and the PA7050's running 6.1.4.</P><P>We are having a problem where mulitple machines across various networks are using a "generic" login account. We have policies in place on the PA7050's that are enforced on these macihines through user-id. This works fine until an admin logs into one of these machines or runs an application as an admin on the machine. This over-writes the user-id mapping by design. The issue however comes when the admin logs out and then logs back in as the generic account, the user-id mappings are not being updated fast enough or at all it seems, which then leaves that machine to bypass the enforcment policies.</P><P>Has anyone else run into this issue?</P><P>Thanks</P><P>**I have thought of using the ignore-list for the admin login's, however this would be a few 100 names and could change monthly which is not really scable to daily operations.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Sep 2015 20:39:20 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64156#M38525 Gun-Slinger 2015-09-03T20:39:20Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64160#M38526 <P>Hello,</P><P>Not sure if its acceptable in your environemnt, but perhaps wmi probing could be used? Just be careful of where you have it enabled:</P><P>&nbsp;</P><P>User-id Best practices:</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Best-Practices-for-Securing-User-ID-Deployments/ta-p/61606" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Best-Practices-for-Securing-User-ID-Deployments/ta-p/61606</A></P><P>&nbsp;</P><P>Security impact of wmi probing</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Customer-advisory-Security-Impact-of-User-ID-Misconfiguration/ta-p/59968" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Customer-advisory-Security-Impact-of-User-ID-Misconfiguration/ta-p/59968</A></P> Thu, 03 Sep 2015 23:05:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64160#M38526 OtakarKlier 2015-09-03T23:05:41Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64162#M38528 <P>Or maybe Captive portal, although I must admit I think it would be for all users.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/user-id/map-ip-addresses-to-user-names-using-captive-portal.html" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/user-id/map-ip-addresses-to-user-names-using-captive-portal.html</A></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Sep 2015 23:15:30 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64162#M38528 OtakarKlier 2015-09-03T23:15:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64195#M38535 <P>Maybe I'm mistaken, but in the user-agent config,the "Security Log Monitor Fequency (sec.)" setting should take care of this for you.</P><P>&nbsp;</P><P>The login / run-as from the admin, log-off and subsequent login as a normal user should be recorded within this setting. &nbsp;In our enviornment this is set as 3 seconds. &nbsp;So unless I'm not understanding this correctly our enviornment would have this updated in 3 seconds or so, and would also take care of your issue as well.</P> Fri, 04 Sep 2015 14:45:21 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64195#M38535 Brandon_Wertz 2015-09-04T14:45:21Z https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64213#M38542 <P>Global Protect in internal mode or wifi/nac logs are the only options. Anything else is just noise.</P> Fri, 04 Sep 2015 20:03:31 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-not-updating-mappings-fast-enough/m-p/64213#M38542 cpainchaud 2015-09-04T20:03:31Z